Committee hits roadblock in probing Commonwealth cybersecurity performance

In an attempt to find the direct lines of accountability within Australian government entities where cybersecurity is concerned, the Joint Committee of Public Accounts and Audit (JCPAA) on Thursday was sent running in circles like a dog chasing its tail.


Australian government entities are required to comply with the Australian Signals Directorate's (ASD) Top Four mitigation strategies for cybersecurity compliance, despite there being an Essential Eight.


Commonwealth entities are responsible for their own assessments against the Top Four, and as the JCPAA previously requested -- a request that was agreed to by the government -- entities are required to report on their performance and compliance annually. 


This annual assessment is provided to the Attorney-General's Department (AGD) and the Department of Home Affairs, through the ASD, and that data is then aggregated and anonymised before being thrown together as an overall performance report.


But as Shadow Assistant Minister for Cyber Security Tim Watts has pointed out at length before, there is no mechanism that allows the individual performance of Commonwealth entities to be probed.

"The issue with having publicly available detail on cybersecurity vulnerabilities is that it itself creates a vulnerability and the purpose of the cybersecurity posture report is to provide that at a non-detailed entity level," Sarah Chidgey from the AGD said in response.


When asked how individual Commonwealth entities are accountable to the Australian Parliament for their compliance with mandatory cybersecurity measures contained within the Protective Security Policy Framework (PSPF), Chidgey said it was a matter for Parliament as to what mechanisms they would choose to use.

"At present, is there no way that the Pa ..
